China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade

Staff Editor 2026-06-12
China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade

China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade

https://thehackernews.com/2026/06/china-linked-hackers-backdoored-linux.html

Publish Date: 2026-06-12 14:17:00

Source Domain: thehackernews.com

Swati KhandelwalJun 12, 2026Linux / Network Security

Instead of hiding on the laptops and servers defenders watch most closely, a China-nexus group spent close to a decade hidden inside the Linux login system itself.

Sygnia, which tracks the group as Velvet Ant, says it backdoored the PAM and OpenSSH components that decide who is allowed to sign in, planting its access where ordinary cleanup could not reach it. The network it targeted had no direct internet access, so the group first staged through internet-facing systems to get there.

The earliest traces go back to 2016. Instead of dropping new malware that a scanner might catch, the attacker changed the trusted login programs themselves. Nothing obvious appeared, and no exploit was needed, so the activity looked like normal administration.

On many machines, the attacker replaced the main PAM login module with backdoored copies. Some let them in with a secret password; others quietly recorded real usernames and passwords as people logged in.

Researchers found nine separate versions. The OpenSSH programs were altered the same way, logging credentials and every command typed, with a hidden switch to turn that logging off when needed.

Reaching the isolated network at all took extra work. The attacker used other disguised tools and an internet-facing web server as a bridge, passing commands through it to open remote sessions deep inside the segment that had no direct internet access.

Because the login system itself was compromised, normal containment did little. Password resets and killed sessions do not help when the thing that checks those credentials is working for the attacker.

This is not new for the group. Each time defenders find one foothold, Velvet Ant moves to gear they watch less and sets up there. In a 2024 case, Sygnia found the same actor turning internet-exposed F5 BIG-IP appliances into internal command servers.

Later that year, it reported the group exploiting a Cisco NX-OS flaw,…

Source

More Stories

AMD Opens Pre-Orders For The Linux-Friendly Ryzen AI Halo Developer Platform

AMD Opens Pre-Orders For The Linux-Friendly Ryzen AI Halo Developer Platform

Staff Editor 2026-06-12
Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit

Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit

Staff Editor 2026-06-12
MX Linux 25.2 arrives with switchable init and Pi refresh

MX Linux 25.2 arrives with switchable init and Pi refresh

Staff Editor 2026-06-12

Terms and Conditions - Privacy Policy